Analysis
max time kernel: 148s
max time network: 144s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 16-08-2022 07:16
Static task: static1
Behavioral task: behavioral1
  Sample: edeb88630fb0200ef6ead73c73e01a1f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: edeb88630fb0200ef6ead73c73e01a1f.exe
  Resource: win10v2004-20220812-en
The signatures, process tree and memory dumps below come from behavioral1, the Windows 7 x64 run (the dump names carry the behavioral1/ prefix).
General
Target: edeb88630fb0200ef6ead73c73e01a1f.exe
Size: 916KB
MD5: edeb88630fb0200ef6ead73c73e01a1f
SHA1: 7ffa23f2a754abbd398d17cc3dab54e8794a9f2e
SHA256: c1b694fc1a8292381f26293bd47a8093c49d48874937be131fa2e8f35e847b58
SHA512: baeef2af4a9698642cf6097d4602a9a8f330b240b7d4be9424949e2549a55aa8d407352c37a67d664374355f4ef43f282b98d0df6059f054464342692f7e3072
Malware Config
Extracted: three distinct RedLine configurations, consistent with the three dropped binaries that the family_redline YARA rule tags below (namdoitntn.exe, safert44.exe, jshainx.exe). The extract does not say which configuration belongs to which binary.

Family   Botnet       C2                     auth_value
redline  nam3         103.89.90.61:34589     64b900120bbceaa6a9c60e9079492895
redline  5            176.113.115.146:9582   d38b30c1ccd6c1e5088d9e5bd9e51b0f
redline  5076357887   195.54.170.157:16525   0dfaff60271d374d0c206d19883e06f3

The C2 entries are bare ip:port sockets rather than URLs, so network detection for this sample is a socket match, not a hostname or HTTP-content match.
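The three C2 entries above are the report's most durable network indicators. The following Python is an added example (not part of the sandbox report or of any tool it names) that parses the entries exactly as the report prints them, emits one Suricata rule per C2 socket, and scans connection-log lines for hits. The connection log at the bottom is constructed for the example in a Zeek-like "ts src sport dst dport proto" layout; the rule SIDs, the $HOME_NET variable and the log format are assumptions.

```python
"""Turn the RedLine C2 entries extracted in this report into detection content.

Added example, not part of the sandbox report. The three C2 sockets and
auth_values are copied from the report's Malware Config section; the
connection-log lines at the bottom are constructed, not captured traffic.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RedLineC2:
    botnet: str      # the botnet/campaign ID shown under "redline" in the report
    host: str
    port: int
    auth_value: str  # 32 hex chars, RedLine's per-build authentication token


def parse_c2(botnet: str, endpoint: str, auth_value: str) -> RedLineC2:
    """Parse an 'ip:port' string in the form the report prints it."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {endpoint!r}")
    ipaddress.ip_address(host)                 # reject hostnames and garbage early
    if len(bytes.fromhex(auth_value)) != 16:   # also raises on non-hex input
        raise ValueError("auth_value is not 16 bytes of hex")
    return RedLineC2(botnet, host, int(port), auth_value)


# Values copied from the Malware Config section above.
EXTRACTED = [
    parse_c2("nam3", "103.89.90.61:34589", "64b900120bbceaa6a9c60e9079492895"),
    parse_c2("5", "176.113.115.146:9582", "d38b30c1ccd6c1e5088d9e5bd9e51b0f"),
    parse_c2("5076357887", "195.54.170.157:16525", "0dfaff60271d374d0c206d19883e06f3"),
]


def suricata_rules(c2s: list[RedLineC2], base_sid: int = 9_000_001) -> list[str]:
    """One rule per C2 socket. The report gives ip:port pairs, not URLs, so the
    match is on the TCP socket; base_sid is an assumed local SID range."""
    return [
        f'alert tcp $HOME_NET any -> {c.host} {c.port} '
        f'(msg:"RedLine Stealer C2 (botnet {c.botnet})"; flow:to_server,established; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, c in enumerate(c2s)
    ]


def match_connections(conn_lines: list[str], c2s: list[RedLineC2]) -> list[tuple[int, str, str]]:
    """Return (line_no, src_ip, botnet) for every 'ts src sport dst dport proto'
    line whose destination socket is one of the extracted C2s."""
    lookup = {(c.host, c.port): c for c in c2s}
    hits = []
    for n, line in enumerate(conn_lines, 1):
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        _, src, _, dst, dport, proto = fields[:6]
        c2 = lookup.get((dst, int(dport)))
        if c2 is not None and proto.lower() == "tcp":
            hits.append((n, src, c2.botnet))
    return hits


# Constructed log, not captured traffic: one benign HTTPS flow, two C2 hits,
# and one flow to a C2 address on a port the config does not use.
SAMPLE_CONN_LOG = """\
# ts src sport dst dport proto
1660634160.1 10.0.0.5 49712 93.184.216.34 443 tcp
1660634161.4 10.0.0.5 49713 176.113.115.146 9582 tcp
1660634162.0 10.0.0.5 49714 195.54.170.157 16525 tcp
1660634163.2 10.0.0.5 49715 195.54.170.157 80 tcp
""".splitlines()


if __name__ == "__main__":
    print("\n".join(suricata_rules(EXTRACTED)))
    for n, src, botnet in match_connections(SAMPLE_CONN_LOG, EXTRACTED):
        print(f"line {n}: {src} -> RedLine C2 (botnet {botnet})")
```

The port-80 line to 195.54.170.157 is deliberately not matched: the config pins a port, and matching on address alone would also fire on unrelated services on shared hosting. Widen to address-only matching only after confirming the address is dedicated to the operator.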
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 12 IoCs
Resources and memory regions matched by the family_redline YARA rule. The three memory dumps belong to PIDs 1480 (safert44.exe), 1108 (namdoitntn.exe) and 1916 (jshainx.exe), and the same three files match on disk, so these three of the seven dropped binaries are RedLine builds. The other four (F0geI.exe, kukurzka9000.exe, real.exe, EU1.exe) are not matched by this rule and are not identified by the extract.
  \Program Files (x86)\Company\NewProduct\namdoitntn.exe  family_redline
  C:\Program Files (x86)\Company\NewProduct\safert44.exe  family_redline
  C:\Program Files (x86)\Company\NewProduct\jshainx.exe  family_redline
  C:\Program Files (x86)\Company\NewProduct\jshainx.exe  family_redline
  behavioral1/memory/1480-86-0x00000000001F0000-0x0000000000234000-memory.dmp  family_redline
  behavioral1/memory/1108-85-0x0000000000B70000-0x0000000000B90000-memory.dmp  family_redline
  behavioral1/memory/1916-84-0x00000000000D0000-0x00000000000F0000-memory.dmp  family_redline
  \Program Files (x86)\Company\NewProduct\jshainx.exe  family_redline
  C:\Program Files (x86)\Company\NewProduct\safert44.exe  family_redline
  C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe  family_redline
  \Program Files (x86)\Company\NewProduct\safert44.exe  family_redline
  C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe  family_redline
Executes dropped EXE 7 IoCs
  PID   Process
  1052  F0geI.exe
  1700  kukurzka9000.exe
  1108  namdoitntn.exe
  1272  real.exe
  1480  safert44.exe
  1916  jshainx.exe
  728   EU1.exe

Loads dropped DLL 11 IoCs
All 11 loads are attributed to PID 832, edeb88630fb0200ef6ead73c73e01a1f.exe (the parent sample). The extract does not name the DLLs.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops file in Program Files directory 7 IoCs
All seven files are opened for modification by the parent sample (PID 832, edeb88630fb0200ef6ead73c73e01a1f.exe) under C:\Program Files (x86)\Company\NewProduct\. A standard user cannot write there; the sandbox ran the sample from the Admin profile (C:\Users\Admin\...), so the same dropper on a least-privilege desktop would either fail here or need an elevation prompt.
  C:\Program Files (x86)\Company\NewProduct\EU1.exe
  C:\Program Files (x86)\Company\NewProduct\F0geI.exe
  C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
  C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
  C:\Program Files (x86)\Company\NewProduct\real.exe
  C:\Program Files (x86)\Company\NewProduct\safert44.exe
  C:\Program Files (x86)\Company\NewProduct\jshainx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's stock description calls this "likely ransomware behaviour", but nothing else in this report supports that reading (no file encryption, no ransom note); for a stealer, drive enumeration is inventory, not encryption.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  real.exe  Key opened        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  real.exe  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Modifies Internet Explorer settings
All keys below sit under \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ and are written by the iexplore.exe and IEXPLORE.EXE instances the dropper launched, most of them several times over. They are ordinary first-run IE housekeeping caused by the dropper starting the browser, not settings the malware edits deliberately; treat them as noise when building detections from this report.
Keys created (iexplore.exe unless noted):
  LowRegistry, LowRegistry\DOMStorage, LowRegistry\DontShowMeThisDialogAgain
  Main (also created by IEXPLORE.EXE), Main\WindowsSearch
  Recovery\AdminActive, Recovery\PendingRecovery
  TabbedBrowsing\NewTabPage
  InternetRegistry
  Zoom
  GPU
  PageSetup
  Toolbar, Toolbar\WebBrowser
  DomainSuggestion, DomainSuggestion\FileNames\
  BrowserEmulation\LowMic
  IETld\LowMic
  IntelliForms
Values set (iexplore.exe):
  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 (data)
  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (data)
  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 (data)
  Main\CompatibilityFlags = "0" (int)
  Main\FullScreen = "no" (str)
  Main\WindowsSearch\Version = "WS not running" (str)
  Recovery\AdminActive\{0F8D1801-1D44-11ED-991C-C6F54D7498C3} = "0" (int)
  Recovery\AdminActive\{0F896E81-1D44-11ED-991C-C6F54D7498C3} = "0" (int)
  Recovery\PendingRecovery\AdminActive = "0" and = "1" (int)
  DomainSuggestion\NextUpdateDate = "367406344" (int)
Suspicious behavior: EnumeratesProcesses 4 IoCs
  1108  namdoitntn.exe
  1916  jshainx.exe
  1480  safert44.exe
  1272  real.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
  Token: SeDebugPrivilege  1108  namdoitntn.exe
  Token: SeDebugPrivilege  1916  jshainx.exe
  Token: SeDebugPrivilege  1480  safert44.exe
(The three processes that take SeDebugPrivilege are exactly the three RedLine builds.)

Suspicious use of FindShellTrayWindow 5 IoCs
  1492, 1528, 936, 1788, 732  iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs
  iexplore.exe frame processes: 1788, 936, 1528, 732, 1492 (two hits each)
  IEXPLORE.EXE tab processes: 1596, 1600, 380, 1200 (two hits each; 1600 listed twice)
Suspicious use of WriteProcessMemory 64 IoCs
Every parent/child pair is logged four times; grouped here by pair.
  PID 832 edeb88630fb0200ef6ead73c73e01a1f.exe wrote to memory of:
    1788, 732, 1528, 1492, 936  iexplore.exe
    1052 F0geI.exe, 1700 kukurzka9000.exe, 1108 namdoitntn.exe, 1272 real.exe, 1480 safert44.exe, 1916 jshainx.exe, 728 EU1.exe
  PID 936 iexplore.exe wrote to memory of 1060 IEXPLORE.EXE
  PID 1788 iexplore.exe wrote to memory of 1200 IEXPLORE.EXE
  PID 1528 iexplore.exe wrote to memory of 380 IEXPLORE.EXE
  PID 732 iexplore.exe wrote to memory of 1600 IEXPLORE.EXE
Each entry here is a parent writing into a child it has just created, which is what CreateProcess does to set up the new process; the same signature fires for IE's frame process creating its tab processes. There is no write into an unrelated, pre-existing process in this report, so this is not evidence of injection; the signal is which parent is spawning what.
Processes
Tree reconstructed from the report's depth markers (1 = root, 2 = child, 3 = grandchild). PIDs come from the signature tables above; SCODEF:<pid> on each IEXPLORE.EXE command line names the frame process that tab process belongs to.

C:\Users\Admin\AppData\Local\Temp\edeb88630fb0200ef6ead73c73e01a1f.exe  (PID 832)
  cmd: "C:\Users\Admin\AppData\Local\Temp\edeb88630fb0200ef6ead73c73e01a1f.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe  (PID 1788)
    cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1200)
      cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Program Files\Internet Explorer\iexplore.exe  (PID 732)
    cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1600)
      cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:732 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Program Files\Internet Explorer\iexplore.exe  (PID 1528)
    cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 380)
      cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
      - Suspicious use of SetWindowsHookEx

  C:\Program Files\Internet Explorer\iexplore.exe  (PID 1492)
    cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID not linked in the extract)
      cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Program Files\Internet Explorer\iexplore.exe  (PID 936)
    cmd: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1nN6Z4
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1060)
      cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings

  C:\Program Files (x86)\Company\NewProduct\F0geI.exe  (PID 1052)
    cmd: "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
    - Executes dropped EXE

  C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe  (PID 1700)
    cmd: "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
    - Executes dropped EXE

  C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe  (PID 1108)
    cmd: "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Program Files (x86)\Company\NewProduct\real.exe  (PID 1272)
    cmd: "C:\Program Files (x86)\Company\NewProduct\real.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Company\NewProduct\safert44.exe  (PID 1480)
    cmd: "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Program Files (x86)\Company\NewProduct\jshainx.exe  (PID 1916)
    cmd: "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Program Files (x86)\Company\NewProduct\EU1.exe  (PID 728)
    cmd: "C:\Program Files (x86)\Company\NewProduct\EU1.exe"
    - Executes dropped EXE

Read as a whole, the dropper does two things. It launches Internet Explorer five times against iplogger.org links; iplogger.org is a link-tracking service that records the IP address of whoever opens a link, so each launch reports the new install to the operator, and a real browser is used so that the request looks like ordinary browsing. It then starts the seven binaries it wrote to C:\Program Files (x86)\Company\NewProduct\. Three of them (namdoitntn.exe, safert44.exe, jshainx.exe) are RedLine builds that enumerate processes and enable SeDebugPrivilege; real.exe reads CentralProcessor\0\ProcessorNameString, a common sandbox check; the extract records nothing beyond execution for F0geI.exe, kukurzka9000.exe and EU1.exe.
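The tree above gives three behaviours worth a host rule: a non-browser parent launching iexplore.exe at a tracker URL, execution of files that a process running from %TEMP% had just written, and SeDebugPrivilege being enabled by one of those dropped files. The following Python is an added example (not the sandbox's own signature logic and not captured telemetry) that implements all three as a single-pass, stateful detector. Field names follow Sysmon Event ID 11 (FileCreate), Sysmon Event ID 1 (ProcessCreate) and Windows Security Event ID 4703 (token privilege adjusted), but the records are hand-written to mirror this process tree, and the browser-launcher allow-list is an assumption.

```python
"""Detection logic for the dropper behaviour in this process tree.

Added example; not the sandbox's own signatures and not captured telemetry.
The event records are constructed to mirror the tree above. Field names follow
Sysmon EID 11 (FileCreate), Sysmon EID 1 (ProcessCreate) and Security EID 4703
(token privilege adjusted); the allow-lists are assumptions for the example.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

BROWSER_LAUNCHERS = {"explorer.exe", "iexplore.exe", "userinit.exe"}  # assumed allow-list
TRACKER_HOSTS = {"iplogger.org"}  # link-tracking host seen in the report
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s\"]+)", re.IGNORECASE)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


class DropperDetector:
    """Single-pass rules: remember what a %TEMP% process wrote, then flag
    execution of those files and SeDebugPrivilege use by them."""

    def __init__(self) -> None:
        self.dropped: set[str] = set()    # files created by a process running from %TEMP%
        self.executed: set[str] = set()   # dropped files that were later launched
        self.findings: dict[str, list[str]] = {
            "tracker-beacon": [], "dropped-exec": [], "dropped-sedebug": []}

    def feed(self, ev: dict) -> None:
        eid = ev["EventID"]
        if eid == 11 and TEMP_DIR_RE.search(ev["Image"]):
            self.dropped.add(ev["TargetFilename"].lower())
        elif eid == 1:
            self._process_create(ev)
        elif eid == 4703:
            self._privilege_adjust(ev)

    def _process_create(self, ev: dict) -> None:
        image, parent, cmd = ev["Image"], ev["ParentImage"], ev.get("CommandLine", "")
        # Rule 1: something other than the shell or the browser starts IE at a tracker URL.
        if _name(image) == "iexplore.exe" and _name(parent) not in BROWSER_LAUNCHERS:
            hosts = {h.lower() for h in URL_HOST_RE.findall(cmd)} & TRACKER_HOSTS
            if hosts:
                self.findings["tracker-beacon"].append(
                    f"{_name(parent)} opened {sorted(hosts)} via iexplore.exe")
        # Rule 2: a file written by a %TEMP% process is now being executed.
        if image.lower() in self.dropped:
            self.executed.add(image.lower())
            self.findings["dropped-exec"].append(f"{_name(parent)} executed dropped file {image}")

    def _privilege_adjust(self, ev: dict) -> None:
        # Rule 3: SeDebugPrivilege enabled by one of the dropped-and-executed files.
        privs = {p.strip() for p in ev.get("EnabledPrivilegeList", "").split(",")}
        if "SeDebugPrivilege" in privs and ev["ProcessName"].lower() in self.executed:
            self.findings["dropped-sedebug"].append(
                f"{_name(ev['ProcessName'])} enabled SeDebugPrivilege")


def run(events) -> dict[str, list[str]]:
    det = DropperDetector()
    for ev in events:
        det.feed(ev)
    return det.findings


# Constructed events mirroring the tree above (not captured logs).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\edeb88630fb0200ef6ead73c73e01a1f.exe"
DROP_DIR = r"C:\Program Files (x86)\Company\NewProduct"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
DROPPED = ["F0geI.exe", "kukurzka9000.exe", "namdoitntn.exe", "real.exe",
           "safert44.exe", "jshainx.exe", "EU1.exe"]


def sample_events() -> list[dict]:
    evs = [{"EventID": 11, "Image": DROPPER, "TargetFilename": str(PureWindowsPath(DROP_DIR, n))}
           for n in DROPPED]
    for slug in ("1RyjC4", "1A4aK4", "1RLtX4", "1RCgX4", "1nN6Z4"):
        evs.append({"EventID": 1, "Image": IE, "ParentImage": DROPPER,
                    "CommandLine": f'"{IE}" https://iplogger.org/{slug}'})
    for n in DROPPED:
        path = str(PureWindowsPath(DROP_DIR, n))
        evs.append({"EventID": 1, "Image": path, "ParentImage": DROPPER,
                    "CommandLine": f'"{path}"'})
    for n in ("namdoitntn.exe", "jshainx.exe", "safert44.exe"):
        evs.append({"EventID": 4703, "ProcessName": str(PureWindowsPath(DROP_DIR, n)),
                    "EnabledPrivilegeList": "SeDebugPrivilege"})
    # Benign controls: a user opening IE, and Task Manager taking SeDebugPrivilege.
    evs.append({"EventID": 1, "Image": IE, "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": f'"{IE}" https://www.microsoft.com/'})
    evs.append({"EventID": 4703, "ProcessName": r"C:\Windows\System32\Taskmgr.exe",
                "EnabledPrivilegeList": "SeDebugPrivilege"})
    return evs


if __name__ == "__main__":
    for category, items in run(sample_events()).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("  ", item)
```

Rule 3 is deliberately gated on the file having been dropped and executed first: SeDebugPrivilege on its own is taken by Task Manager, debuggers and security products, so an ungated rule is mostly noise, whereas a freshly dropped binary taking it is the report's actual pattern. The order of events matters for this single-pass design; if your pipeline does not guarantee ordering, buffer a short window or run two passes.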
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped executables. The extract lists each of these up to three times, under a C:\ path and under a bare \ path with identical hashes; each is listed once here. Together they total about 2.0MB against a 916KB dropper, so they are either stored compressed inside it or fetched at run time; the Network section of this extract does not show which.

C:\Program Files (x86)\Company\NewProduct\EU1.exe (also logged as \Program Files (x86)\Company\NewProduct\EU1.exe)
  Size: 274KB
  MD5: eb95bd35b211240a79cdae0f92b3c3be
  SHA1: e38380e708f8edac8c22339222f53e5f4d31edeb
  SHA256: ca001eae20029c736e73e2fc9e77a1e7eac73d863b05a9f580ed04b003ffba47
  SHA512: 13c1c49bd37a52920d09c6895883da2a33a4f79fe11a1fe2fb53e69d11beb515d8e98ad77ff76a29e662a1f84920311285c28d11eb85c68a2e3cdfd9c2563d48

C:\Program Files (x86)\Company\NewProduct\F0geI.exe (also logged as \Program Files (x86)\Company\NewProduct\F0geI.exe)
  Size: 339KB
  MD5: 501e0f6fa90340e3d7ff26f276cd582e
  SHA1: 1bce4a6153f71719e786f8f612fbfcd23d3e130a
  SHA256: f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b
  SHA512: dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

C:\Program Files (x86)\Company\NewProduct\jshainx.exe (also logged as \Program Files (x86)\Company\NewProduct\jshainx.exe; RedLine)
  Size: 107KB
  MD5: 2647a5be31a41a39bf2497125018dbce
  SHA1: a1ac856b9d6556f5bb3370f0342914eb7cbb8840
  SHA256: 84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
  SHA512: 68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe (also logged as \Program Files (x86)\Company\NewProduct\kukurzka9000.exe)
  Size: 669KB
  MD5: b5942a0be0b72e121dadb762044f38cc
  SHA1: 885909607a9747c11eac6cc47b775ad947980c5e
  SHA256: c565dd409f6d17997285f6fcecf851c56ddc3129c2a777529e8470290565ace1
  SHA512: d2a916738fca01b6b5a27639fbefcc7406e79f8493d8f69015c60d07d0341ab8aa8e4e3ab50208161b7398bef62b9837e11524ffefc502b9f09efc011974e3e7

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe (also logged as \Program Files (x86)\Company\NewProduct\namdoitntn.exe; RedLine)
  Size: 107KB
  MD5: bbd8ea73b7626e0ca5b91d355df39b7f
  SHA1: 66e298653beb7f652eb44922010910ced6242879
  SHA256: 1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e
  SHA512: 625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

C:\Program Files (x86)\Company\NewProduct\real.exe (also logged as \Program Files (x86)\Company\NewProduct\real.exe)
  Size: 275KB
  MD5: a2414bb5522d3844b6c9a84537d7ce43
  SHA1: 56c91fc4fe09ce07320c03f186f3d5d293a6089d
  SHA256: 31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173
  SHA512: 408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

C:\Program Files (x86)\Company\NewProduct\safert44.exe (also logged as \Program Files (x86)\Company\NewProduct\safert44.exe; RedLine)
  Size: 246KB
  MD5: 414ffd7094c0f50662ffa508ca43b7d0
  SHA1: 6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb
  SHA256: d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee
  SHA512: c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Internet Explorer artifacts created by the iexplore.exe launches (cache metadata, recovery stores and a cookie file). These are browser side effects, not payloads, and their hashes are not useful as indicators.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Size: 340B
  MD5: 8cf8b8cf011711b46ad3d511c0b27faa
  SHA1: f945b46f2700ee10ee4a61fdfa48e4c73581cc4e
  SHA256: 31fcb94ee5d75d8d7e66e58bf01b0b02a0354f109a9c4d6216040a170d090213
  SHA512: b648bbde6d15691e173db4fb50b114cac92f1c57b1817d807b86cbf2f8280df02577a96bcbc09fbf2b24901546d4cffa00348fef1bbca67c57240af57cffb650

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F8D1801-1D44-11ED-991C-C6F54D7498C3}.dat
  Size: 3KB
  MD5: 2f80d293247a99cc3aa9b54af28cdb89
  SHA1: 15625f74450e2ed5c874cc899ae91bc986a145ef
  SHA256: 82caaf51f0d273d2412a222b26057c85bc4cec4513ac9df555792e815e22958b
  SHA512: f8a25e8b781572648dc11f8010af1fbbf38e59d81aa8753dd9b0705c1a968272d3102b2e287490dce0f51c4e943e7cea09f2f3d2b740a2686141a91c3c265e0e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F9015A1-1D44-11ED-991C-C6F54D7498C3}.dat
  Size: 3KB
  MD5: 7345505b5f4d933b4b71b5f2db6a1cd4
  SHA1: 0fd78dee25bb9b25f85278c170d8ca31f01ebd01
  SHA256: 89fb533e466135157e6d7bc0dc2b33beff26a8bbfa2e64a4d6ee399731b219ca
  SHA512: ecc400c3bad8ac47955635bf7980f186ca1bc574f144c1ef931dd8e8ce17b522944ed3db1aed49b1359a1569d1a808995005231bdc06ca8e5a1f0e64e84df3c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\56N8Z2GS.txt
  Size: 608B
  MD5: 0d1fd87f82c98962ec07e7c816c7f474
  SHA1: 4018d210236453a2775da7f950f40c63a32cecbf
  SHA256: 32d7a1b180b70d594c2ea01a4abf7940ed71be2ae6bece79d2022b7392daaee4
  SHA512: fba5deb7277f6fa292dd44c2225595b643e8f9322b056656bcafb0eca4d826cf04bb2d8bd60c7539fbb9a489e2225d10b888f247995d333b833fb20f35b84f5a
Memory dumps (behavioral1; names are PID-sequence-range, process names added from the tables above)
  memory/728-80-0x0000000000000000-mapping.dmp                          (EU1.exe, mapping)
  memory/832-54-0x0000000075091000-0x0000000075093000-memory.dmp        8KB    (parent sample)
  memory/1052-57-0x0000000000000000-mapping.dmp                         (F0geI.exe, mapping)
  memory/1052-89-0x00000000002EB000-0x00000000002FC000-memory.dmp       68KB   (F0geI.exe)
  memory/1052-90-0x00000000001B0000-0x00000000001C0000-memory.dmp       64KB   (F0geI.exe)
  memory/1052-91-0x0000000000400000-0x000000000046E000-memory.dmp       440KB  (F0geI.exe, image base)
  memory/1052-99-0x00000000002EB000-0x00000000002FC000-memory.dmp       68KB   (F0geI.exe)
  memory/1052-121-0x00000000002EB000-0x00000000002FC000-memory.dmp      68KB   (F0geI.exe)
  memory/1108-64-0x0000000000000000-mapping.dmp                         (namdoitntn.exe, mapping)
  memory/1108-85-0x0000000000B70000-0x0000000000B90000-memory.dmp       128KB  (namdoitntn.exe; family_redline match)
  memory/1272-69-0x0000000000000000-mapping.dmp                         (real.exe, mapping)
  memory/1272-102-0x0000000060900000-0x0000000060992000-memory.dmp      584KB  (real.exe)
  memory/1480-71-0x0000000000000000-mapping.dmp                         (safert44.exe, mapping)
  memory/1480-86-0x00000000001F0000-0x0000000000234000-memory.dmp       272KB  (safert44.exe; family_redline match)
  memory/1480-88-0x0000000000250000-0x0000000000256000-memory.dmp       24KB   (safert44.exe)
  memory/1700-61-0x0000000000000000-mapping.dmp                         (kukurzka9000.exe, mapping)
  memory/1700-97-0x00000000002F0000-0x0000000000302000-memory.dmp       72KB   (kukurzka9000.exe)
  memory/1700-98-0x0000000000400000-0x00000000004AE000-memory.dmp       696KB  (kukurzka9000.exe, image base)
  memory/1916-77-0x0000000000000000-mapping.dmp                         (jshainx.exe, mapping)
  memory/1916-84-0x00000000000D0000-0x00000000000F0000-memory.dmp       128KB  (jshainx.exe; family_redline match)
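The Downloads section is the part of this report most people actually reuse, and in the raw extract each file appears up to three times with its hash names glued to the values. The following Python is an added example (not part of the sandbox report or of any tool it references) that parses entries in exactly that flattened form, merges the path variants by SHA-256, and then hashes a directory tree against the resulting set. The embedded excerpt is copied from the report (EU1.exe under both path forms, plus jshainx.exe); the self-check plants a constructed file whose bytes are made up here and are not the real dropped binary.

```python
"""Parse the report's Downloads entries into a de-duplicated hash IOC set and
sweep a directory tree for files matching it.

Added example; not part of the sandbox report or any tool it references. The
excerpt below is copied from the report's Downloads section (EU1.exe, which the
report lists under both a C:\\ path and a bare \\ path, and jshainx.exe).
"""
from __future__ import annotations

import hashlib
import re
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

REPORT_EXCERPT = r"""
C:\Program Files (x86)\Company\NewProduct\EU1.exeFilesize
274KB
MD5eb95bd35b211240a79cdae0f92b3c3be
SHA1e38380e708f8edac8c22339222f53e5f4d31edeb
SHA256ca001eae20029c736e73e2fc9e77a1e7eac73d863b05a9f580ed04b003ffba47
SHA51213c1c49bd37a52920d09c6895883da2a33a4f79fe11a1fe2fb53e69d11beb515d8e98ad77ff76a29e662a1f84920311285c28d11eb85c68a2e3cdfd9c2563d48
-
\Program Files (x86)\Company\NewProduct\EU1.exeFilesize
274KB
MD5eb95bd35b211240a79cdae0f92b3c3be
SHA1e38380e708f8edac8c22339222f53e5f4d31edeb
SHA256ca001eae20029c736e73e2fc9e77a1e7eac73d863b05a9f580ed04b003ffba47
SHA51213c1c49bd37a52920d09c6895883da2a33a4f79fe11a1fe2fb53e69d11beb515d8e98ad77ff76a29e662a1f84920311285c28d11eb85c68a2e3cdfd9c2563d48
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exeFilesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
"""


@dataclass
class DroppedFile:
    sha256: str
    md5: str
    sha1: str
    sha512: str
    size: str
    paths: set[str] = field(default_factory=set)


# One flattened entry: "<path>Filesize", size, then MD5/SHA1/SHA256/SHA512 glued to hex.
ENTRY_RE = re.compile(
    r"^(?P<path>\S.*?)Filesize\s+(?P<size>\S+)\s+"
    r"MD5(?P<md5>[0-9a-f]{32})\s+SHA1(?P<sha1>[0-9a-f]{40})\s+"
    r"SHA256(?P<sha256>[0-9a-f]{64})\s+SHA512(?P<sha512>[0-9a-f]{128})",
    re.IGNORECASE | re.MULTILINE,
)


def parse_downloads(text: str) -> dict[str, DroppedFile]:
    """Group the flattened entries by SHA-256, merging path variants of one file."""
    by_hash: dict[str, DroppedFile] = {}
    for m in ENTRY_RE.finditer(text):
        rec = by_hash.setdefault(
            m["sha256"].lower(),
            DroppedFile(m["sha256"].lower(), m["md5"].lower(), m["sha1"].lower(),
                        m["sha512"].lower(), m["size"]),
        )
        rec.paths.add(m["path"].strip())
    return by_hash


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: dict[str, DroppedFile]) -> list[tuple[Path, DroppedFile]]:
    """Hash every regular file under root and return those in the IOC set."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rec = iocs.get(sha256_of(p))
            if rec is not None:
                hits.append((p, rec))
    return hits


def self_check() -> list[str]:
    """Plant a constructed file, register its hash, and confirm sweep() finds it.
    The planted bytes are made up here; they are not the real dropped file."""
    iocs = parse_downloads(REPORT_EXCERPT)
    with tempfile.TemporaryDirectory() as d:
        planted = Path(d) / "planted.bin"
        planted.write_bytes(b"constructed sample bytes, not the real EU1.exe")
        (Path(d) / "benign.txt").write_text("nothing to see here")
        digest = sha256_of(planted)
        iocs[digest] = DroppedFile(digest, "", "", "", "n/a", {"planted for self_check"})
        return [p.name for p, _ in sweep(Path(d), iocs)]


if __name__ == "__main__":
    iocs = parse_downloads(REPORT_EXCERPT)
    for rec in iocs.values():
        print(rec.sha256, rec.size, sorted(rec.paths))
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    for p, rec in sweep(root, iocs):
        print(f"MATCH {p} -> {rec.sha256}")
```

Keying on SHA-256 rather than on path is deliberate: the report shows the same bytes under two path spellings, and on a real host the files may have been moved or renamed. Run it with the full Downloads text pasted into REPORT_EXCERPT and the root of the volume to sweep as the first argument.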